Forum Discussion

security1010
Occasional Contributor
4 months ago
Solved

Login with QR - a risk?

Hello,

I have a concern about the login with QR.

  • I’ve read how it securely sends my secret key and master password
  • and how I need to verify on the approver device
  • but if someone had my password manager open, or even forced me to open it (say via biometric unlock), then they could log in on their device
  • They would go their separate way with their device
  • disconnect from the internet, so my unlink or secret key change would make no difference
  • and view away all my content.

Given this, is there a way I can turn that option off?

I haven’t tested yet, but if 2FA is on, does that still need to be entered? I guess that’s a potential solution.

  • Hello security1010​! 👋

    Thanks for the question! Signing in to 1Password with a QR code is secure; you can find more information here:


    If someone gets access to your 1Password account then they would have access to all of your items even without the QR code feature. They could take screenshots of your items and save those without you knowing. The best way to protect yourself is to make sure that 1Password is locked when you're not using it: How to set 1Password to lock automatically

    You can also enable two-factor authentication using a security key for your account. When enabled, you'll still need to provide your security key even when signing in using a QR code (this does not apply to two-factor authentication using a TOTP authenticator app for family/individual accounts): Turn on two-factor authentication for your 1Password account

    Once you sign in to a new device using a QR code, you'll receive an email letting you know that your 1Password account has been accessed from a new device, and you'll see that new device listed on your profile (in the top right corner) when logging into and accessing 1Password on the web.

    I hope that helps. 

    -Dave 

16 Replies

  • I'm trying to understand the security implications of using the QR code to authenticate a device.

    Is there anything there to prevent an attacker from loading 1password on their device, copying the QR code, creating a phishing site, and getting me to scan it?

    If I understand, FIDO2 devices like Yubikey will verify the origin, so it should not fill in the details to the phishing site. Passkeys also verify the origin.

    However, if I scan a QR code, no TFA is presented and it is up to me to verify that the website is actually valid.

    I understand the risk is relatively low since I rarely need to authenticate a new device, but the QR code seems inherently riskier than using a password / security key / FIDO2 device.

    • 1P_Dave
      Moderator

      quinn_wellington

      Signing in to your 1Password account using a QR code is secure. Even if someone were to take a screenshot of the QR code, the following protections apply:

      1. They have to convince you to open the 1Password app on a device that you're already signed in on and use that app to scan a QR code. Just using the normal camera app won't work.
      2. The QR code is time-bound and regularly invalidated, so taking a screenshot and then trying to trick you later won't work. Any attack would have to happen in real time.
      3. You have to enter a confirmation code or accept a prompt after scanning the QR code in order to confirm sign-in. At this point you'll also be told information about the device that you're signing into. Just scanning the QR code won't automatically sign you in.
      That being said, different people have different threat models. If you add a security key to your 1Password account then that security key will always be required when signing into a new device using a QR code: Use your security key as a second factor for your 1Password account

      -Dave


      • quinn_wellington
        New Member

        Thanks for the information. I tried it again. I think it is still a phishing risk. I wasn't able to confirm the information about the physical security key as 2FA.

        I have a 1password account with 2FA:

        • Authenticator App
        • Yubikey physical security key

        The App is installed on my phone.

        Steps

        • Visit 1password.com in a private mode window on a computer
        • Go to the login page
        • Scan the QR code on my phone
        • The phone App provides browser, city, and country
        • Accept the authentication
        • I'm logged in

        I never was asked to use my physical security key. I wasn't asked for the Authenticator app either. So, no 2FA on the computer browser. Authenticating into the App was all that was required.

        All of the information provided through the QR code process is phishable and requires human verification.

        • The malicious website can proxy (in real time) the QR code
        • The malicious website can transmit all the data from the victim when they visit a malicious site to the attacker's system. This includes the browser information (user agent) and IP address or location (if the user provides permission). The IP can provide a close enough match to a city. This is the same information that 1password displays in the app and it gets it the same way an attacker could.

        So, this means the user has to hand-verify the URL. If they type 1password in incorrectly, use a malicious link, etc., they are phished.

        The phishing resistance of FIDO2 and passkeys comes from the automation of the URL / origin verification. And that is left to the user here.

        Am I missing something / misunderstanding?

        Based on my testing, I should really only ever authenticate a device with my physical key if possible.

        If I were to use the physical key, I need to provide the username and secret manually (both phishable), but then the physical key will refuse to authenticate.

        I have 2FA with an authenticator app as a backup in case the physical key is lost or breaks. If I choose to use the QR code or authenticator app, I open myself up to phishing.
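The contrast quinn_wellington draws above (origin verification done by the browser in FIDO2/passkeys versus left to the user in a QR approval) is illustrated by this added example, which is not code from the thread or from 1Password. It simulates a WebAuthn relying party's checks on a relayed challenge; the relying party id, origins and credential secret are constructed, and an HMAC stands in for the authenticator's private-key signature so the block runs offline.

```python
import hashlib
import hmac
import json

# Constructed values for the demo (not 1Password's).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def authenticator_sign(cred_secret, challenge, origin):
    """What the browser plus authenticator produce for a sign-in challenge.
    The browser fills in `origin` itself; the user never types it, so a
    look-alike site cannot make the assertion claim the genuine origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    rp_id_from_origin = origin.split("//", 1)[1]
    # authenticatorData = rpIdHash || flags (user-present bit set)
    auth_data = hashlib.sha256(rp_id_from_origin.encode()).digest() + b"\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()  # stand-in for the real signature
    return client_data, auth_data, sig


def rp_verify(cred_secret, issued_challenge, client_data, auth_data, sig):
    """Relying-party side: reject unless the browser-recorded origin and
    rpIdHash match what this RP expects and the signature checks out."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != issued_challenge:
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    expected = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature"
    return "ok"


def run_flow(origin_seen_by_browser):
    """The RP issues one challenge; a relaying site can forward it unchanged,
    but the browser still records the origin it is actually on."""
    cred_secret = b"constructed-credential-secret"
    challenge = "constructed-fixed-challenge"  # real RPs use fresh random bytes
    cd, ad, sig = authenticator_sign(cred_secret, challenge, origin_seen_by_browser)
    return rp_verify(cred_secret, challenge, cd, ad, sig)


if __name__ == "__main__":
    print(run_flow("https://example.com"))   # genuine site
    print(run_flow("https://examp1e.com"))   # look-alike site relaying the same challenge
```

The QR approval prompt in the steps above only shows browser, city and country, which the relying party learns from the connecting client and which a relaying site sees identically, so no equivalent automatic check exists there.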

  • security1010
    Occasional Contributor

    Thanks 1P_Dave

    So sounds like 2FA is a must. 

    Interesting that it wasn’t on/required to set up by default from the start.

    All clear though. Thanks. 

    • 1P_Dave
      Moderator

      security1010

      I believe that most services allow customers the choice of whether to enable two-factor authentication due to the additional work and maintenance of the second factor that is required. That being said, 1Password Business does include an option for administrators to require two-factor authentication for all team members.

      Enabling two-factor authentication using a hardware security key is a great step to take if you'd like that additional protection. You can read more on our blog: Protecting your 1Password account with multi factor authentication

      Let me know if you have any other questions in the future. 

      -Dave

      • security1010
        Occasional Contributor

        I just tested this on a laptop. I opened a browser in incognito and was able to sign in, no 2FA needed.
